Possible Denial of Service due to Prometheus Metrics #41

Open
joe-warren opened this issue Dec 20, 2021 · 0 comments
Labels
security Security concerns

@joe-warren

The Prometheus counter that is incremented per request contains a label `handler` which is set to the path of the request (code here).

Because this isn't validated, making a call to a large number of endpoints (even if these aren't handled) will make the number of labels grow arbitrarily large.

This can inflate the size of the /metrics response, which could be used as part of a denial of service, and could potentially consume a lot of storage in your Prometheus database.

@tchoutri tchoutri added the security Security concerns label Dec 24, 2021
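
An added example, not code from this project or from the issue author: it contrasts the series count when the `handler` label is the raw request path with the count when the label is drawn from a fixed set of route templates plus one bucket for unhandled paths. The route table, the `unmatched` bucket name, and all function names are hypothetical, and a `Counter` stands in for the labelled Prometheus counter so the block runs offline.

```python
import re
from collections import Counter

# Hypothetical route table for illustration; the project's real routes are not on the page.
KNOWN_ROUTES = [
    (re.compile(r"/"), "/"),
    (re.compile(r"/packages"), "/packages"),
    (re.compile(r"/packages/[^/]+"), "/packages/:name"),
]
UNMATCHED = "unmatched"  # single bucket for every path that no route handles


def handler_label(path: str) -> str:
    """Map a request path to a label value drawn from a fixed, finite set."""
    path = path.split("?", 1)[0]  # the query string never belongs in a label
    for pattern, template in KNOWN_ROUTES:
        if pattern.fullmatch(path):
            return template
    return UNMATCHED


def count_series(paths, label_fn):
    """Stand-in for a labelled counter: one time series per distinct label value."""
    series = Counter()
    for p in paths:
        series[label_fn(p)] += 1
    return series


def sample_requests(n=1000):
    """Constructed traffic: four legitimate requests plus n distinct unhandled paths."""
    legit = ["/", "/packages", "/packages/foo", "/packages/bar?tab=deps"]
    noise = [f"/nonexistent-{i}" for i in range(n)]
    return legit + noise


if __name__ == "__main__":
    reqs = sample_requests()
    raw = count_series(reqs, lambda p: p)        # raw path as label, as the issue describes
    bounded = count_series(reqs, handler_label)  # label limited to the route table
    print("series with raw path label:", len(raw))
    print("series with route-template label:", len(bounded))
```

With the bounded label, the size of the `/metrics` response depends on the number of routes rather than on the number of distinct paths clients request.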